https://community.splunk.com/t5/Splunk-Search/Comparing-two-data-sets-from-the-same-timeframe-and-index/m-p/15804#M2000 <P>I am trying to compare the results of two searches that share a common timeframe and index, with a negation. The common resulting field may occur multiple times in both searches. As an example:</P> <P>Search 1:</P> <PRE><CODE>index="stuff" status="LoginSuccessful" </CODE></PRE> <P>and Search 2 is:</P> <PRE><CODE>index="stuff" status="LoginFailed" </CODE></PRE> <P>If username is in an event in search 2 but <STRONG>NOT</STRONG> in an event in search 1, I want to see it. (So, show me all of the users that had a failed login and never had a successful login.) </P> <P>The only way I have found to do this is to output one set of results to a csv and use lookup to search one. Even if this were two separate indices, I'm not clear on how you would negate the results of an entire join.</P> <P>I figure there has to be a simpler way to do this...</P> Sat, 19 Jun 2010 06:21:11 GMT Tisiphone_1 2010-06-19T06:21:11Z https://community.splunk.com/t5/Splunk-Search/Comparing-two-data-sets-from-the-same-timeframe-and-index/m-p/15804#M2000 <P>I am trying to compare the results of two searches that share a common timeframe and index, with a negation. The common resulting field may occur multiple times in both searches. As an example:</P> <P>Search 1:</P> <PRE><CODE>index="stuff" status="LoginSuccessful" </CODE></PRE> <P>and Search 2 is:</P> <PRE><CODE>index="stuff" status="LoginFailed" </CODE></PRE> <P>If username is in an event in search 2 but <STRONG>NOT</STRONG> in an event in search 1, I want to see it. (So, show me all of the users that had a failed login and never had a successful login.) </P> <P>The only way I have found to do this is to output one set of results to a csv and use lookup to search one. Even if this were two separate indices, I'm not clear on how you would negate the results of an entire join.</P> <P>I figure there has to be a simpler way to do this...</P> Sat, 19 Jun 2010 06:21:11 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-two-data-sets-from-the-same-timeframe-and-index/m-p/15804#M2000 Tisiphone_1 2010-06-19T06:21:11Z https://community.splunk.com/t5/Splunk-Search/Comparing-two-data-sets-from-the-same-timeframe-and-index/m-p/15805#M2001 <P>There are several easier ways to do this. An efficient way is:</P> <PRE><CODE> index=stuff status=loginsuccessful OR status=loginfailed | stats count(eval(status=="LoginSuccessful")) as c_success, count((eval(status=="LoginFailed"))) as c_failure by user | where c_failure &gt; 0 AND c_success == 0 </CODE></PRE> <P>Similar (but somewhat less amenable to map-reduce treatment than the previous, if you have multiple indexer nodes) is:</P> <PRE><CODE> index=stuff status=loginsuccessful OR status=loginfailed | transaction user | where status=="LoginFailed" AND NOT status=="LoginSuccessful" </CODE></PRE> <P>And the obvious way (which is just a concise version of what you did) is to use a subsearch:</P> <PRE><CODE> index=stuff status=loginfailed NOT [ search index=stuff status=loginsuccessful | dedup user | fields user ] </CODE></PRE> <P>But this is relatively inefficient and is subject to limits on subsearch and format that must be increased in the system if you have a lot of users.</P> Sat, 19 Jun 2010 08:55:20 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-two-data-sets-from-the-same-timeframe-and-index/m-p/15805#M2001 gkanapathy 2010-06-19T08:55:20Z https://community.splunk.com/t5/Splunk-Search/Comparing-two-data-sets-from-the-same-timeframe-and-index/m-p/15806#M2002 <P>Thanks! I had my syntax mixed up on the last. Now it works!</P> Sat, 19 Jun 2010 08:58:59 GMT https://community.splunk.com/t5/Splunk-Search/Comparing-two-data-sets-from-the-same-timeframe-and-index/m-p/15806#M2002 Tisiphone_1 2010-06-19T08:58:59Z